Is there any way to force Android to route all (but only) public WiFi traffic through a PPTP VPN?

My phone basically has three connectivity scenarios:

AT&T's HSPA+ or LTE. I don't want to use a VPN with this.

Public WiFi. I don't ever want to send anything that isn't tunneled through a VPN over public WiFi. If I just connected to WiFi right now, I don't want Android to instantly launch into all of its pent-up WiFi tasks until I'm connected to the VPN. Ideally, I'd prefer that Android not even broadcast the notification that I'm now WiFi-connected until after the VPN is up. If the VPN drops, I want the traffic to be blocked (or routed over AT&T) until the VPN is re-established.

My home WiFi. I could live with VPN'ing this if it's impossible to distinguish between "my WiFi" and "all other WiFi", but I'd prefer to not VPN it either.

I know that Tasker can theoretically achieve most of these goals, except for one problem: AFAIK, nobody has written a Tasker VPN plugin that works with ICS. Does one exist yet that I've overlooked?

That leaves the second problem -- leaked traffic during the interval between the time the WiFi connects and the VPN is established, and traffic leaked if the VPN dies for some reason while the WiFi remains connected. Is there any way to fix this problem?